This policy defines how SSH host keys are generated, stored, injected, and validated within the **CISS.debian.live.builder** and related CISS Debian images.
## 2.2. Goals
* Ensure cryptographic integrity and correctness of all SSH host keys.
* Avoid accidental corruption (CRLF, re-encoding, line wrapping, tooling side effects).
* Clearly separate deterministic (internal) host keys from non-deterministic (public) host keys.
* Provide predictable behavior for automated deployments while maintaining security guarantees.
## 2.3. Key Classes
We distinguish three key classes:
* Root identity keys (/root/.ssh/id_*):
* Used for controlled bootstrap, orchestration, or internal automation.
* Maybe deterministic in tightly controlled environments.
* Deterministic SSH host keys (CISS internal):
* Pre-generated and injected via the build system.
* Used only for internal / trusted / non-public images.
* Allow infrastructure and automation to reliably identify CISS systems.
* Ephemeral SSH host keys (public or customer-facing images):
* Generated on the first boot or during installation.
* Never shared across distinct deployments.
* Mandatory for any image that is publicly distributed or outside a strictly controlled trust domain.
## 2.4. Generation & Format Requirements
All SSH host keys used with CISS images MUST meet the following requirements:
* Key generation
* Keys MUST be generated using ssh-keygen on a trusted system.
* Recommended minimums:
* Ed25519 for the primary host key.
* RSA 4096 (optional legacy compatibility).
* Keys MUST be in OpenSSH native format:
* ``-----BEGIN OPENSSH PRIVATE KEY-----``
* No experimental or tool-specific formats for host keys.
* Encoding & line discipline
* Files MUST be 7-bit clean ASCII.
* Line endings MUST be LF only.
* No BOM, no trailing spaces, no hidden control characters.
* Keys MUST NOT be edited or re-wrapped manually.
* Transfer via SCP/rsync/Git MUST use binary mode (no ``text mode`` / CRLF conversion).
* Permissions
* Private host keys: ``0600``, owned by ``root:root``.
* Public keys: ``0644``, owned by ``root:root``.
* Directories containing keys (e.g., ``/etc/ssh``, ``/root/.ssh``): at most ``0700`` or ``0755`` as appropriate.
## 2.5. Deterministic Host Keys (Internal Use Only)
Deterministic host keys MAY be used under the following strict conditions:
* Scope
* Only for:
* CISS internal infrastructure.
* Private test images.
* Environments where distribution, copying, and lifecycle are fully controlled.
* Distribution
* Deterministic keys are treated as sensitive secrets, not as generic assets.
* Storage:
* Encrypted at rest (e.g., SOPS/age, GnuPG, offline vault).
* Access controlled and audited.
* Injection:
* Keys are copied verbatim into config/includes.chroot using ``install`` or ``cp``.
* No templating, no inline heredocs with shell expansion, no sed/awk rewriting.
* Build-time validation
* After injection, each private key MUST be validated in the build pipeline:
* ``ssh-keygen -lf`` <key> MUST succeed.
* ``ssh-keygen -yf`` <key> MUST succeed (proves private key is parseable by libcrypto/OpenSSH).
* Any failure aborts the build.
* Runtime expectations
* For deterministic/internal images, SSH clients MAY:
* Pre-configure known_hosts with the expected host key fingerprint(s).
* Enforce ``StrictHostKeyChecking=yes``.
* Any mismatch is treated as a potential security incident.
* Prohibition
* Deterministic host keys MUST NOT be embedded into:
* Public ISOs.
* Customer-distributed generic images.
* Documentation examples.
* Reuse of the same deterministic key material across unrelated security domains is forbidden.
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
